
Supported Formats

Inputs

Signing Key

Supported signature formats through the signature key parameter:

| Key algorithm | Format | Supported |
| --- | --- | --- |
| ECDSA 256 | PEM | Yes |
| RSA 2048 | PEM | Yes |

Artifact Digest

Supported digest algorithms through the Subjects parameter:

| Algorithm | Supported |
| --- | --- |
| SHA 256 | Yes |

Outputs

SLSA Provenance

To trace software back to the source and define the moving parts in a complex supply chain, provenance needs to be there from the very beginning. It’s the verifiable information about software artifacts describing where, when, and how something was produced. For higher SLSA levels and more resilient integrity guarantees, provenance requirements are stricter and need a deeper, more technical understanding of the predicate.

| Standard | Supported | Specification URL |
| --- | --- | --- |
| v1 | Yes | https://slsa.dev/provenance/v1 |

In-toto Attestation

The in-toto Attestation Framework provides a specification for generating verifiable claims about any aspect of how a piece of software is produced. Consumers or users of the software can then validate the origins of the software and establish trust in its supply chain using in-toto attestations.

| Standard | Supported | Specification URL |
| --- | --- | --- |
| v1 | Yes | https://in-toto.io/Statement/v1 |

DSSE Envelope

The Envelope is the outermost layer of the attestation; it handles authentication (the signature over the payload) and serialization of the statement it carries.

| Standard | Supported | Specification URL |
| --- | --- | --- |
| DSSE v1 | Yes | https://github.com/secure-systems-lab/dsse |